CVE-2025-8064 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Bible SuperSearch plugin for WordPress, developed by aicwebtech. This vulnerability affects all versions up to and including 6.0.1. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of the 'selector_height' parameter. Authenticated attackers with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the injected scripts are stored persistently, they execute in the context of any user who accesses the affected page, enabling a range of malicious activities such as session hijacking, privilege escalation, or defacement. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based, requiring low attack complexity and privileges (Contributor or above), with no user interaction needed for exploitation. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the published date. This vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow authenticated users to submit parameters that are later rendered in pages without proper sanitization.

The impact of CVE-2025-8064 is significant for organizations running WordPress sites with the Bible SuperSearch plugin installed. Because the vulnerability allows stored XSS, attackers can inject malicious scripts that execute in the browsers of any users visiting the compromised pages. This can lead to theft of session cookies, enabling account takeover, unauthorized actions performed on behalf of users, defacement of site content, or distribution of malware. Since exploitation requires only Contributor-level access, an attacker who gains such access (e.g., via social engineering or compromised credentials) can leverage this vulnerability to escalate their influence and compromise other users, including administrators. The vulnerability does not directly impact availability but compromises confidentiality and integrity of user data and site content. Organizations with active user communities or multiple contributors are at higher risk. The medium CVSS score reflects a moderate but non-trivial risk that could be exploited in targeted attacks or automated campaigns if weaponized. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks.

To mitigate CVE-2025-8064, organizations should first check for updates or patches from the plugin vendor aicwebtech and apply them promptly once available. In the absence of official patches, administrators should consider temporarily disabling or removing the Bible SuperSearch plugin to eliminate the attack surface. Restrict Contributor-level access strictly to trusted users and audit existing users for suspicious accounts. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'selector_height' parameter. Employ Content Security Policy (CSP) headers to limit the impact of injected scripts. Review and sanitize all user inputs rigorously, especially those that are stored and rendered in pages. Regularly monitor logs and user activity for signs of exploitation attempts. Educate users about phishing and credential security to reduce the risk of unauthorized access. Finally, consider deploying security plugins that provide XSS protection and input validation enhancements for WordPress environments.